1. Research Progress


A. Certified Digital Signatures

Digital signatures provide a logical equivalent to written signatures yet can be transmitted over normal electronic communication channels, e.g., telephones, radios, digital networks, etc. They hold great promise for electronic communications by allowing new levels of authentication and accountability in dealings conducted over telecommunication channels.

Although public key cryptosystems can be used to generate digital signatures, certification of public key cryptosystems is a major problem. We have developed a new digital signature system which is "precertified," in the sense that it only depends on the existence of a one-way function. (A conventional cryptosystem can even be used to generate a one-way function, and many such systems are available and already certified.) The new method generates signatures of about 15 kilobits (2 kilobytes), requires a few thousand applications of the underlying one-way (or encryption) function per signature, and only a few kilobytes of memory.
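The principle behind a signature scheme that rests only on a one-way function can be seen in the simplest such construction, the Lamport one-time signature. The Python below is an added example, not the report's scheme (which packs signatures into about 15 kilobits); it uses SHA-256 as the one-way function, signs the 256-bit digest of a message by revealing one of two secret preimages per digest bit, and verifies by re-hashing the revealed preimages against the public key. The function names and the constructed sample message are my own.

```python
import hashlib
import secrets

# Added example: Lamport one-time signature over SHA-256 (the one-way
# function). Security rests only on SHA-256 being hard to invert.
N_BITS = 256  # we sign the SHA-256 digest of the message


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the hash of every preimage (one pair per digest bit)."""
    sk = [(rng(32), rng(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes):
    """Reveal preimage 0 or 1 of pair i according to digest bit i.
    A key pair must sign ONE message only: a second signature reveals
    both preimages of many pairs and lets anyone forge new digests."""
    digest = int.from_bytes(H(message), "big")
    return [sk[i][(digest >> (N_BITS - 1 - i)) & 1] for i in range(N_BITS)]


def verify(pk, message: bytes, sig) -> bool:
    """Each revealed preimage must hash to the public value selected by
    the corresponding digest bit; one mismatch rejects the signature."""
    if len(sig) != N_BITS:
        return False
    digest = int.from_bytes(H(message), "big")
    for i in range(N_BITS):
        bit = (digest >> (N_BITS - 1 - i)) & 1
        if H(sig[i]) != pk[i][bit]:
            return False
    return True


def signature_bits(sig) -> int:
    """Size of a signature in bits (256 preimages of 32 bytes = 65536)."""
    return sum(len(s) for s in sig) * 8


def demo():
    """Sign a constructed message, then check that a one-character change
    to the message is rejected. Returns (accepted, tampered_accepted, bits)."""
    sk, pk = keygen()
    msg = b"constructed sample message"  # constructed sample input
    sig = sign(sk, msg)
    return (verify(pk, msg, sig),
            verify(pk, msg + b"!", sig),
            signature_bits(sig))


if __name__ == "__main__":
    print(demo())
```

Verification costs 256 hash evaluations and key generation 512, well within the "few thousand applications" the report cites, but the signature is 64 kilobits against the report's 15; the gain of the more elaborate scheme is in signature size, not in the security assumption, which is the same here.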

B.  Factoring  and  Random  Graphs 

The problem of factoring large numbers has interested mathematicians since ancient times, and has gained additional practical importance through recently developed public key cryptosystems which depend on the difficulty of factoring for their security. The fastest factoring method known at present is due to Richard Schroeppel, and he has suggested an improvement which he thought might speed it up even further. We have analyzed his suggested improvement and shown that it should not increase the speed of the algorithm.

Schroeppel's factoring method depends on finding a set of binary n-vectors (vectors with n entries, each either 0 or 1) which are dependent (one of them can be written as a binary sum of the others). His improvement generates a set of such vectors with only two 1's and n-2 0's.
It is known that, if the vectors had a single 1 and n-1 0's, then only about square root of n vectors would be needed before a dependent subset could be found. (This is an instance of the "Birthday Problem". Only 23 people are needed in a room for there to be better than a 50% chance of at least two of them having a birthday in common. If there were n days in the year, about square root of n people would be needed before there would be appreciable chance of an overlap.)

If the vectors were chosen with half 0's and half 1's, then about n vectors would be needed before a dependence would be expected.

Because the vectors generated by Schroeppel's modification have two 1's, it might be hoped that the behavior would be close to that of vectors with a single 1, in which case only about square root of n of them would be needed before a dependence would be expected, and the modification would increase the speed of factoring. If, however, the behavior of vectors with two 1's were closer to that of vectors with half 1's and half 0's (where about n are needed for a dependence), the modification would not increase speed.

We have recast this question in terms of graph theory and have utilized a result of Erdős and Rényi on the evolution of random graphs to show that approximately n vectors are needed in the modification, so it is not an improvement. In setting up the equivalence, dependent sets of vectors are equated to complete cycles in the graphs. For example, a graph which connects node 2 to node 3, node 3 to node 5, and node 5 back to node 2 possesses a complete cycle.

In our equivalence, a connection between two nodes corresponds to choosing a vector with its two 1's in those locations. For example, the vector 01100 corresponds to connecting nodes 2 and 3, 00101 corresponds to connecting node 3 to node 5, and 01001 corresponds to connecting node 5 back to node 2. It is seen that the complete cycle (2 to 3 to 5 to 2) corresponds to a dependent subset since the first two vectors add to 01201, which is the same as the third vector 01001 in binary arithmetic.

The question of how many binary n-vectors are needed before finding a dependent subset becomes the question of how many edges are needed in a random graph with n vertices before a complete cycle occurs. Erdős and Rényi showed that O(n), not O(√n), are needed. Vectors with two 1's therefore behave almost the same as vectors with n/2 1's so far as dependence is concerned.
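The vector/graph equivalence and the two growth rates it contrasts can be checked directly. The Python below is an added example, not part of the report: each two-1's vector becomes an edge, a union-find structure reports the first edge that closes a cycle, a GF(2) elimination confirms that the three example vectors above are dependent, and a small simulation draws random two-1's vectors and random single-1 vectors until a dependence appears and compares the counts. The function names, the sample size n = 2000 and the fixed seed are my own choices.

```python
import random


def vector_to_edge(v: str):
    """'01100' -> (2, 3): the 1-based positions of the two 1's."""
    ones = [i + 1 for i, c in enumerate(v) if c == "1"]
    if len(ones) != 2:
        raise ValueError("expected exactly two 1's")
    return tuple(ones)


def dependent_over_gf2(vectors) -> bool:
    """Gaussian elimination over GF(2) on bit-string vectors: True if some
    non-empty subset sums to zero in binary arithmetic (is dependent)."""
    basis = {}  # highest set bit -> reduced row with that pivot
    for v in vectors:
        x = int(v, 2)
        while x:
            p = x.bit_length() - 1
            if p not in basis:
                basis[p] = x
                break
            x ^= basis[p]
        else:
            return True  # reduced to zero: this vector is a sum of earlier ones
    return False


class UnionFind:
    """Tracks connected components; union() returns False when the new
    edge joins two vertices already connected, i.e. it closes a cycle."""

    def __init__(self, n):
        self.parent = list(range(n + 1))

    def find(self, a):
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]
            a = self.parent[a]
        return a

    def union(self, a, b) -> bool:
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True


def edges_until_cycle(n, rng) -> int:
    """Two-1's vectors: add random edges on n vertices until the first cycle.
    A repeated edge counts too (two equal vectors are dependent)."""
    uf = UnionFind(n)
    count = 0
    while True:
        a, b = rng.sample(range(1, n + 1), 2)
        count += 1
        if not uf.union(a, b):
            return count


def vectors_until_repeat(n, rng) -> int:
    """Single-1 vectors: a dependence is a repeated position (birthday problem)."""
    seen = set()
    count = 0
    while True:
        pos = rng.randrange(1, n + 1)
        count += 1
        if pos in seen:
            return count
        seen.add(pos)


def average(f, n, trials, seed=1):
    """Mean of f(n, rng) over `trials` runs with a fixed seed for reproducibility."""
    rng = random.Random(seed)
    return sum(f(n, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    n = 2000
    print("two 1's:", average(edges_until_cycle, n, 40))      # grows like n
    print("one 1:  ", average(vectors_until_repeat, n, 40))   # grows like sqrt(n)
```

With n = 2000 the two-1's count lands in the hundreds (the first cycle of the random graph process appears at a constant fraction of n edges) while the single-1 count stays near √n, which is the O(n) versus O(√n) gap the report draws from Erdős and Rényi.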

C.  Compact  Knapsacks 

We have also investigated fast methods for solving "compact knapsack" problems: given S and an n-vector of integers, a, find an n-vector, x, with each component an integer in the range (0,B), such that a·x = S. The usual knapsack problem corresponds to B=1, in which case x is a binary n-vector. Compact knapsacks have an advantage in that a smaller vector compresses a greater amount of data in a one-way fashion. Although our results are not complete, they indicate that the complexity of solving compact knapsacks grows exponentially in n but only polynomially in b, where B=2**b. This further indicates that compact knapsacks may gain little over binary knapsacks.

D.  NP-complete  Problems 

In our study of NP-complete problems, we attacked a major unanswered question in the theory of computation: "Do there exist computational problems for which it is easy to check that a proposed solution is correct, but for which it is in general very difficult to find the correct solution?" Most investigators believe that the answer to this question is affirmative, but this has not yet been proven. A negative answer would imply that many problems thought to be difficult, such as factorization of large numbers and optimal scheduling or routing, would be easily solved.

We provided evidence that the answer to the above question is affirmative by studying computers which have access to a tape of random numbers. For such computers, and for almost all tapes of random numbers, we found problems that are hard to solve but easy to check. We have also suggested how such random tapes can be simulated by deterministically generating "pseudorandom" numbers by a complicated but efficient computer program, thus introducing a class of problems that may someday be shown to be hard to solve but easy to check.
F. Indices in GF(q^m)

The problem of computing indices in a finite field GF(q^m) is of importance to the Diffie-Hellman public key distribution system. Pohlig and Hellman developed an improved algorithm for this problem, but it is only of value for a small fraction of finite fields. Merkle and Adleman have developed another algorithm which is generally applicable in GF(q). We have extended this algorithm to deal with extension fields GF(q^m). Irreducible polynomials play the role of primes, and the subexponential computation time of the Merkle-Adleman algorithm is retained.
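Why the Pohlig-Hellman method helps only for a small fraction of fields is easiest to see in the prime-field case GF(p) (q = p, m = 1). The Python below is an added example, not the report's code and not the Merkle-Adleman algorithm: it computes the index of h base g modulo p by solving the problem separately modulo each prime-power factor of p-1 and recombining with the Chinese remainder theorem. The work is polynomial in the largest prime factor of p-1, so the method is instant when p-1 is smooth (65537, with p-1 = 2^16, is used as the constructed example) and no better than brute force when p-1 has a large prime factor. The trial-division factoring is only adequate for such toy sizes; the moduli, the sample exponents and the function names are my choices.

```python
def factor_trial(n):
    """Prime-power factorisation {prime: exponent} by trial division.
    Only meant for the small demo moduli used here."""
    f = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def _log_prime_power(g, h, p, q, e):
    """Solve g^x = h (mod p) where g has order dividing q^e.
    Recovers x one base-q digit at a time; each digit costs O(q) trials."""
    x = 0
    gamma = pow(g, q ** (e - 1), p)  # element of order dividing q
    for k in range(e):
        # remove the digits already known, then project to the order-q subgroup
        hk = pow(pow(g, -x, p) * h % p, q ** (e - 1 - k), p)
        for d in range(q):  # brute force the next digit: cheap only if q is small
            if pow(gamma, d, p) == hk:
                x += d * q ** k
                break
        else:
            raise ValueError("h is not a power of g")
    return x


def crt(residues):
    """Combine (residue, modulus) pairs with pairwise coprime moduli."""
    x, m = 0, 1
    for r, mod in residues:
        t = ((r - x) * pow(m, -1, mod)) % mod
        x += m * t
        m *= mod
    return x % m


def pohlig_hellman(g, h, p):
    """Index (discrete logarithm) of h base g in GF(p)^*, p prime."""
    order = p - 1
    parts = []
    for q, e in factor_trial(order).items():
        qe = q ** e
        g_i = pow(g, order // qe, p)  # has order dividing q^e
        h_i = pow(h, order // qe, p)
        parts.append((_log_prime_power(g_i, h_i, p, q, e), qe))
    return crt(parts)


def largest_prime_factor(n):
    """Parameter check: the cost driver of Pohlig-Hellman for order n.
    A small value means the field's logs are easy; a safe prime p has
    largest_prime_factor(p - 1) == (p - 1) // 2."""
    return max(factor_trial(n))


def demo():
    """Constructed example: p = 65537, so p-1 = 2**16 is completely smooth
    and the index of 3**12345 is recovered by 16 two-way digit tests."""
    p, g, x = 65537, 3, 12345
    h = pow(g, x, p)
    return pohlig_hellman(g, h, p) == x


if __name__ == "__main__":
    print(demo(), largest_prime_factor(65537 - 1))
```

The digit loop is the whole story: for a modulus whose p-1 has a prime factor of 100 bits, the `for d in range(q)` step would need about 2^100 trials, which is why the method gives nothing for fields chosen with a safe prime and why the report turns to the subexponential Merkle-Adleman approach for the general case.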